According to Microsoft's Anti-Malware team, definitions 5777 will detect WinNT/F4IRootkit (that's their name for the rootkit that has been shipped as part of Sony's XCP software). The Malicious Software Removal Tool will have detection for this rootkit too, and it will be released as scheduled - 2nd Tuesday next month. Read more below:
http://blogs.technet.com/antimalware/archive/2005/11/17/414741.aspx
More here: Sony XCP Rootkit - Key Info & list of 52 CDs
Courtesy MVP Harry Waldron:
One of my friends in the security field shared an excellent summary of the failed attempt by Sony BMG to better protect their music from Copyright violations. As an ethical individual, I respect the intellectual property rights of those in the music industry. The approach Sony used created harm and potential security issues for innocent loyal customers, who purchased their CDs in good faith.
The rootkit may have appeared to be a good technical solution on the drawing board for better protecting digital rights. However, they didn't exercise risk management and plan well for things that could go wrong, including opening up the customer's PC to emerging security risks based on new malware that takes advantage of the rootkit architecture.
The following provides an update for this issue with several related links:
Quote:
Sony/BMG has just recalled 52 music CDs, all of which came with software which will install "rootkit" spyware programs on your Windows computer. If you have any of these CDs and have played them on your Windows PCs, your computers may be infected with some truly nasty software. This problem does NOT affect Macs or Linux computers and may not have affected you if you run a secure Windows setup. More than 500,000 computers are known to be infected worldwide.
List of 52 infected Sony CDs being recalled
http://cp.sonybmg.com/xcp/english/titles.html
More on Sony's recall notice to replace these CDs at no charge to the owner
http://www.usatoday.com/tech/news/computersecurity/2005-11-14-sony-cds_x.htm
The Sony/BMG website has an uninstall program that is supposed to clean up the infection. HOWEVER, as of today, their uninstall program leaves your computer MORE VULNERABLE than before! Check with your anti-virus vendor to see if your AV can clean up this problem.
Microsoft is upgrading their Malicious Software Removal Tool, which is updated once a month. It will soon be updated to remove the XCP modifications that Sony/BMG put on your computer, but it's not available currently. More information can be found at these sites:
Sony BMG's copy-protection problems grow
http://securityfocus.com/news/11357
Mark's Sysinternals Blog Victory!
http://www.sysinternals.com/blog/2005/11/victory.html
Sony's DRM Rootkit: The Real Story
http://www.schneier.com/blog/archives/2005/11/sonys_drm_rootk.html
Secunia Advisory
http://secunia.com/advisories/17408/
US CERT Advisory
http://www.us-cert.gov/current/current_activity.html#xcpdrm
http://www.kb.cert.org/vuls/id/312073
Security issues may surface using Sony's XCP uninstall tools
http://secunia.com/advisories/17610/
http://www.frsirt.com/english/advisories/2005/2454
http://www.freedom-to-tinker.com/?p=927
Security issues may surface using Sony's uninstall for SunnComm MediaMax (another DRM)
http://secunia.com/advisories/17639/
http://www.frsirt.com/english/advisories/2005/2493
http://www.freedom-to-tinker.com/?p=931
Rootkits could mean a complete rebuild for your PC
http://insight.zdnet.co.uk/0,39020415,39237277-4,00.htm
Quote:
How do we remove rootkits? -- There is only one guaranteed way to remove a rootkit. You destroy the system and then rebuild it. There is no other way to reliably remove a rootkit — no other way whatsoever. You can't delete the file or even reinstall the operating system over the top of the existing OS — which is a horrible practice anyway. It is super important to nuke the system because a rootkit's primary function is stealth — what is it hiding? Do you know? Usually not. How can you reliably know what it was hiding, what it was compromising or what it was removing?
Key Advice for now: Please do not play CDs using your PC until this issue is fully addressed (or if you do play CDs not on the list, still be vigilant and cautious). It could require rebuilding your PC.
Ideas for Infected Users: If you are currently infected with the XCP software, some standalone tools and removers are available. Do not try to remove this manually unless you have complete directions and you are highly skilled as a computer technician. Your CD-ROM or PC may no longer work properly if you fail to remove the rootkit properly. I believe further "help is on the way" and infected users might be better served to wait a little while longer until better tools are published.